Microsoft has announced the 2024 H1 update (CU14) for Exchange Server 2019. CU14 includes fixes for issues identified based on feedback from Microsoft, a security change, and all previously released Security Updates (SUs).
Enabling Extended Protection in Exchange Server 2019 CU14 Default – Cengiz YILMAZ | Sys Blog
Extended Protection Enabled by Default
Microsoft announced in August 2023 that Extended Protection (EP) would be enabled by default for Exchange Server starting with CU14. This applies when Setup is run through the graphical interface (GUI), and when it is run from the command line without the /DoNotEnableEP or /DoNotEnableEP_FEEWS switches, which opt out of enabling EP.
Although Setup enables EP by default, it does not verify whether your organization is ready or able to use EP. Before installing CU14, run the Health Check and confirm that the EP prerequisites are met throughout the organization.
If your servers are not ready to use EP (for example, if they are using SSL Offloading or if there are incompatibilities between client and server TLS configurations) and you do not opt out of enabling EP during installation, you may experience issues across your Exchange Server after installing CU14. If this occurs, you will need to make configuration changes to meet the prerequisites for EP, or you can use the EP script to disable EP on that server after installation is complete.
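Because Setup does not verify readiness, it is worth confirming afterwards which virtual directories actually have EP turned on, for example that the front-end EWS directory was left alone when /DoNotEnableEP_FEEWS was used. The following PowerShell is an added example, not part of the original post or of Microsoft's EP script; the function name `Get-EpTokenChecking` is hypothetical and the embedded XML is a constructed fragment shaped like IIS `applicationHost.config`.

```powershell
# Added example. The XML is a CONSTRUCTED fragment shaped like IIS applicationHost.config;
# the tokenChecking values are sample data, not the values Setup writes.
$sample = @'
<configuration>
  <location path="Default Web Site/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/MAPI">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Exchange Back End/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

# Hypothetical helper: one row per <location>, with the EP token-checking mode.
function Get-EpTokenChecking {
    param([Parameter(Mandatory = $true)][xml]$Document)
    $xpath = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    foreach ($location in $Document.SelectNodes('/configuration/location')) {
        $ep = $location.SelectSingleNode($xpath)
        # Schema default is "None" (EP off); inheritance from a parent path is not resolved here.
        $mode = if ($ep -and $ep.GetAttribute('tokenChecking')) { $ep.GetAttribute('tokenChecking') } else { 'None' }
        [pscustomobject]@{
            Path          = $location.GetAttribute('path')
            TokenChecking = $mode
            EpEnabled     = ($mode -ne 'None')
        }
    }
}

# On a server, load the live file instead of the sample:
#   [xml]$doc = Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config"
[xml]$doc = $sample
Get-EpTokenChecking -Document $doc | Sort-Object Path | Format-Table -AutoSize
```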
.NET Framework 4.8.1 support on Windows Server 2022
CU14 also introduces support for .NET Framework 4.8.1, which is only for Windows Server 2022 (and cannot be installed on older versions).
TLS 1.3 support moved to CU15
Microsoft had previously announced that TLS 1.3 support would be available in CU14 when running on Windows Server 2022. As testing and validation of Exchange Server with TLS 1.3 continues, and to avoid delaying the release of CU14, TLS 1.3 support will reportedly be released in CU15 later this year.
CVE-2024-21410
To address CVE-2024-21410, you need to allow CU14 Setup to enable Extended Protection (EP) on your Exchange 2019 servers.
| Scenario that does not support EP | Action to be taken |
| --- | --- |
| SSL Offloading for Outlook Anywhere | SSL Offloading for Outlook Anywhere must be disabled. If Extended Protection is enabled through Exchange Server CU14, the installer disables SSL Offloading for Outlook Anywhere. |
| SSL Offloading in Load Balancer | SSL Offloading is not supported. Instead, you must use SSL bridging with the same SSL certificate as the Exchange Server IIS front end. |
| Public folders hosted on Exchange Server 2013, 2016 CU22 (or older), or 2019 CU11 (or older) | All public folders need to be migrated to currently supported versions, and the out-of-support Exchange Server 2013 needs to be decommissioned. |
| In a hybrid scenario, the Modern Hybrid agent is used to publish Exchange Server to the Internet | Run the Exchange Server CU14 installation in unattended mode and use the /DoNotEnableEP_FEEWS switch to not enable Extended Protection on the EWS front-end virtual directory. |
Exchange Server Support Table
With the release of Exchange Server 2019 CU14, CU12 is no longer supported and will not receive any updates in the future. Please update your servers to the latest CU to continue receiving SUs.

| Exchange Server | Support Status | Action to be taken |
| --- | --- | --- |
| Exchange 2019 CU13 or CU14 | Supported | Latest SU update |
| Exchange 2019 CU12 (and earlier) | Not supported | Update to latest CU and latest SU |
| Exchange 2016 CU23 | Supported | Latest SU update |
| Exchange 2016 CU22 (and earlier) | Not supported | Update to CU23 and latest SU |